Level 2: Unauthorised Authenticated Access

Task

The next level is fairly similar, with a slight twist. You're going to need your own AWS account for this. You just need the free tier.

Resolution

  1. Creating an AWS Account:

The first step is to create an AWS account. Go to the AWS website and sign up; the free tier is enough for this level.

Once the account is created, install the AWS CLI (on Debian/Ubuntu) by running:

sudo apt install awscli

This installs the AWS CLI so you can interact with AWS services from your terminal.

  2. Obtaining AWS Access Key ID and AWS Secret Access Key:

To get the credentials, go to the AWS Console and search for 'IAM'.

On the left sidebar, navigate to Users > Create User.

Fill in the required details.

Once the user is created, open the user's page and create an access key; note down both the Access Key ID and the Secret Access Key, since the secret is only shown once.

  3. Configuring AWS CLI: With the keys obtained, run the following command in your terminal:

aws configure

You will be prompted to input:

  • Access Key ID -> the Access Key ID you just created

  • Secret Access Key -> the matching Secret Access Key

  • Default region name -> us-east-1

  • Default output format -> json

To verify if the configuration is correct, run:

aws s3 ls

If it returns an empty result (your new account owns no buckets yet) rather than an error, the configuration is correct.

  4. Finding the Flag: Now that everything is set up, we are ready to find our flag.

As we saw, aws s3 ls on its own lists the buckets in our account. To list the level's bucket we pass its URL, and we make the call with our own credentials by selecting our user profile with --profile default. The command looks like this:

aws s3 --profile default ls s3://<url>.flaws.cloud

And if we visit the secret URL:

Lesson Learned

Similar to opening permissions to "Everyone", people accidentally open permissions to "Any Authenticated AWS User". They might mistakenly think this means only users of their own account, when in fact it means anyone who has an AWS account, including the free-tier one we just created.

Examples of this problem

  • Open permissions for authenticated AWS user on Shopify (link)

Avoiding the mistake

Only open permissions to specific AWS users.

This screenshot is from the web console in 2017. This setting can no longer be set in the web console, but the SDK and third-party tools sometimes still allow it.
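Because the grant can no longer be seen in the console, it is worth checking bucket ACLs programmatically. The script below is an added example, not part of the original write-up: it takes the JSON that `aws s3api get-bucket-acl` returns and flags grants to the two global groups S3 uses for "Everyone" (AllUsers) and "Any Authenticated AWS User" (AuthenticatedUsers). The group URIs are AWS's real canned-group identifiers; the sample ACL and bucket policy are constructed here, and the policy check goes slightly beyond the page by catching the same mistake made through a bucket policy with a wildcard Principal.

```python
import json

# S3's canned group URIs as they appear in ACL grants (real AWS identifiers).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

RISKY_GROUPS = {
    ALL_USERS: "Everyone (anonymous)",
    AUTHENTICATED_USERS: "Any Authenticated AWS User (any AWS account, not just yours)",
}


def find_risky_grants(acl):
    """Return (who, permission) pairs for ACL grants to a global group.

    `acl` is a dict shaped like the output of `aws s3api get-bucket-acl`.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in RISKY_GROUPS:
            findings.append((RISKY_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def find_risky_policy_statements(policy):
    """Return the Sids of Allow statements whose Principal is the wildcard.

    In a bucket policy, "*" or {"AWS": "*"} means everyone, not "my account".
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def audit_bucket(acl, policy=None):
    """Combine both checks into a list of human-readable findings."""
    report = [f"ACL grants {perm} to {who}" for who, perm in find_risky_grants(acl)]
    if policy is not None:
        report += [f"Policy statement '{sid}' allows a wildcard Principal"
                   for sid in find_risky_policy_statements(policy)]
    return report


# Constructed sample ACL (not real data): owner has FULL_CONTROL, plus the
# "Any Authenticated AWS User" READ grant this level is about.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"ID": "EXAMPLEOWNERCANONICALID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERCANONICALID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}
  ]
}
""")

# Constructed sample bucket policy (not real data): one safe statement scoped
# to a specific account, one wildcard statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SpecificUserOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-user"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    ],
}

if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print(line)
```

To run this against a live bucket you own, feed it the JSON from `aws s3api get-bucket-acl --bucket <name>` and, if one exists, the "Policy" string from `aws s3api get-bucket-policy --bucket <name>` (that string needs a `json.loads` first). Any AuthenticatedUsers grant it reports is exactly the misconfiguration this level exploits.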
